Updated: 2025-12-11 GMT+08:00

LakeFormation Delegated User Permission Reference

After MRS is connected to LakeFormation, the LakeFormation permissions that a LakeFormation delegated user needs in order to execute SQL through Spark, HetuEngine, and similar engines are listed below.

  • DDL Statements
    Table 1 DDL Statements

    DDL statement                         | Permissions required for LakeFormation metadata authorization
    --------------------------------------|---------------------------------------------------------------
    ALTER DATABASE                        | database:describe, database:alter
    ALTER TABLE                           | database:describe, table:describe, table:alter
    ALTER VIEW                            | database:describe, table:describe (source\target\new), table:alter
    CREATE DATABASE                       | catalog:createDatabase
    CREATE OR REPLACE FUNCTION (create)   | database:describe, function:describe, database:createFunction
    CREATE OR REPLACE FUNCTION (replace)  | database:describe, function:describe, function:alter
    CREATE TABLE                          | database:describe, table:describe, database:createTable
    CREATE VIEW                           | database:createTable, table:describe (source\target), table:drop (target, when replacing), tableLocation:R
    DROP DATABASE                         | database:drop
    DROP FUNCTION                         | database:describe, function:describe, function:drop
    DROP TABLE                            | database:describe, table:describe, table:drop
    DROP VIEW                             | database:describe, table:describe (target\source), table:drop (target)
    REPAIR TABLE                          | database:describe, table:describe, table:alter
    TRUNCATE TABLE                        | database:describe, table:describe
    DELETE TABLE                          | database:describe, table:describe, table:alter
    USE DATABASE                          | database:describe

  • DML Statements
    Table 2 DML Statements

    DML statement                      | LakeFormation permissions required to call the metadata API
    -----------------------------------|------------------------------------------------------------
    INSERT TABLE                       | database:describe, table:describe, table:alter
    INSERT OVERWRITE DIRECTORY SELECT  | database:describe, table:describe
    INSERT OVERWRITE DIRECTORY         |
    LOAD DATA                          | database:describe, table:describe

    • When connected through Hive, INSERT TABLE calls the HiveExternalMetastore loaddata API, which in turn calls the altertable API.
    • During LOAD DATA, Spark moves the source folder and deletes the table folder, so the related OBS permissions are lost; OBS permissions must additionally be granted on the parent directory.
  • Data Retrieval Statements
    Table 3 Data Retrieval Statements

    Statement         | LakeFormation permissions required to call the metadata API
    ------------------|------------------------------------------------------------
    SELECT Statement  | database:describe, table:describe
    EXPLAIN           | Depends on the SQL being executed

  • Auxiliary Statements
    Table 4 Auxiliary Statements

    Statement             | LakeFormation permissions required to call the metadata API
    ----------------------|------------------------------------------------------------
    ADD FILE (OBS)        |
    ADD JAR (OBS)         |
    ANALYZE TABLE         | database:describe, table:describe, table:alter
    CACHE TABLE           | database:describe, table:describe
    CLEAR CACHE           |
    DESCRIBE DATABASE     | database:describe
    DESCRIBE FUNCTION     | database:describe, function:describe
    DESCRIBE QUERY        | database:describe, table:describe
    DESCRIBE TABLE        | database:describe, table:describe
    LIST FILE             |
    LIST JAR              |
    REFRESH               |
    REFRESH TABLE         | database:describe, table:describe
    REFRESH FUNCTION      | database:describe, function:describe
    RESET                 |
    SET                   |
    SHOW COLUMNS          | database:describe, table:describe
    SHOW CREATE TABLE     | database:describe, table:describe
    SHOW DATABASES        | catalog:listDatabase
    SHOW FUNCTIONS        | database:describe; none at the function level (results are filtered by the describe permission)
    SHOW PARTITIONS       | database:describe, table:describe
    SHOW TABLE EXTENDED   | database:describe, table:describe, database:listTable
    SHOW TABLES           | database:describe, database:listTable
    SHOW TBLPROPERTIES    | database:describe, table:describe
    SHOW VIEWS            | database:describe, database:listTable
    UNCACHE TABLE         | database:describe, table:describe

    • When connected through Hive, Spark calls alterTableStats through HiveExternalCatalog to write the analysis results into the table properties.
    • listTableNames and listDatabaseNames require the catalog:listDatabase and database:listTable permissions; otherwise an empty list is returned.
    • Partition-level authorization is not supported, that is, column:select authorization does not check the partitions involved.
    • A user who holds any permission is regarded as having the use permission.
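As an added example (not part of this document or of LakeFormation itself): a small Python least-privilege audit that takes the statement types a delegated user's workload runs, derives the required permission set from the tables above, and reports what is missing, which of the missing permissions fail silently (the empty-list behaviour noted above), and what is over-granted. The REQUIRED mapping is a transcribed subset of the tables, the workload and grant set are constructed, and the permission strings are assumed to match the names shown in the tables.

```python
from typing import Dict, Iterable, Set

# Permissions per statement type, transcribed from Tables 1 to 4 above
# (a subset; extend the dict with the remaining rows as needed).
REQUIRED: Dict[str, Set[str]] = {
    "ALTER DATABASE": {"database:describe", "database:alter"},
    "ALTER TABLE": {"database:describe", "table:describe", "table:alter"},
    "CREATE DATABASE": {"catalog:createDatabase"},
    "CREATE TABLE": {"database:describe", "table:describe", "database:createTable"},
    "DROP TABLE": {"database:describe", "table:describe", "table:drop"},
    "INSERT TABLE": {"database:describe", "table:describe", "table:alter"},
    "LOAD DATA": {"database:describe", "table:describe"},
    "SELECT": {"database:describe", "table:describe"},
    "ANALYZE TABLE": {"database:describe", "table:describe", "table:alter"},
    "SHOW DATABASES": {"catalog:listDatabase"},
    "SHOW TABLES": {"database:describe", "database:listTable"},
    "USE DATABASE": {"database:describe"},
}

# Per the notes above, listing calls return an empty list rather than an
# error when these are missing, so a gap here is easy to overlook.
SILENT_WHEN_MISSING: Set[str] = {"catalog:listDatabase", "database:listTable"}


def required_for(workload: Iterable[str]) -> Set[str]:
    """Union of the permissions needed by every statement type in the workload."""
    needed: Set[str] = set()
    for stmt in workload:
        if stmt not in REQUIRED:
            raise KeyError(f"no permission mapping for statement type: {stmt!r}")
        needed |= REQUIRED[stmt]
    return needed


def audit(workload: Iterable[str], granted: Set[str]) -> Dict[str, Set[str]]:
    """Compare what the workload needs with what the delegated user holds.

    missing: needed but not granted (the statement fails, or silently
             returns an empty list for entries in SILENT_WHEN_MISSING)
    silent:  the subset of missing that fails silently
    excess:  granted but unused by the workload (least-privilege candidates)
    """
    needed = required_for(workload)
    missing = needed - granted
    return {"missing": missing,
            "silent": missing & SILENT_WHEN_MISSING,
            "excess": granted - needed}
```

Run it with the statement types of a real workload and the grants actually assigned to the delegated user; anything in "excess" is a candidate for removal, and anything in "silent" explains an unexpectedly empty SHOW result.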
